This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

Hoisting dependencies with peerDependencies can lead to unmet peer dependencies #19877

Open
1 of 4 tasks
filipesilva opened this issue Feb 21, 2018 · 7 comments

Comments

@filipesilva

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • Other (see below for feature requests):

What's going wrong?

There seems to be a problem with how npm@5.6.0 hoists dependencies that have peer dependencies.

I have prepared a repro at https://github.com/filipesilva/ajv-peerdep-issue. Running npm install in this repository will show the following warning:

npm WARN ajv-keywords@3.1.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.

The following dependencies are relevant:

  • this repro itself depends on two packages: ajv@5.5.2 and webpack@3.11.0.
  • webpack@3.11.0 depends on ajv@^6.1.0 and ajv-keywords@^3.1.0.
  • ajv-keywords@3.1.0 has a peer dependency on ajv@^6.0.0

When npm resolves these dependencies they end up looking like this:

ajv-peerdep-issue@1.0.0 D:\sandbox\ajv-peerdep-issue
`-- ajv@5.5.2
`-- ajv-keywords@3.1.0
`-- webpack@3.11.0
  `-- ajv@6.1.0

This is a problem because the hoisted ajv-keywords@3.1.0 will not have its peer dependency on ajv@^6.0.0 met.

How can the CLI team reproduce the problem?

git clone https://github.com/filipesilva/ajv-peerdep-issue
cd ajv-peerdep-issue
npm i
npm WARN ajv-keywords@3.1.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.

supporting information:

  • npm -v prints: 5.6.0
  • node -v prints: 8.9.4
  • npm config get registry prints: https://registry.npmjs.org/
  • Windows, OS X/macOS, or Linux?: Windows 10
filipesilva added a commit to filipesilva/angular-cli that referenced this issue Feb 21, 2018
NPM hoists dependencies with peerDeps of their own, leading to unmet peer dependencies.

See angular#9691 (comment) and npm/npm#19877 for more information.
filipesilva added a commit to filipesilva/angular-cli that referenced this issue Feb 21, 2018
NPM hoists dependencies with peerDeps of their own, leading to unmet peer dependencies.

This workaround should be safe for now since the only two packages that depend on `ajv-keywords@3.1.0` are `webpack` and `schema-utils`.

See angular#9691 (comment) and npm/npm#19877 for more information.

Fix angular#9691.
hansl pushed a commit to angular/angular-cli that referenced this issue Feb 21, 2018
NPM hoists dependencies with peerDeps of their own, leading to unmet peer dependencies.

This workaround should be safe for now since the only two packages that depend on `ajv-keywords@3.1.0` are `webpack` and `schema-utils`.

See #9691 (comment) and npm/npm#19877 for more information.

Fix #9691.
hansl pushed a commit to angular/angular-cli that referenced this issue Feb 22, 2018
NPM hoists dependencies with peerDeps of their own, leading to unmet peer dependencies.

This workaround should be safe for now since the only two packages that depend on `ajv-keywords@3.1.0` are `webpack` and `schema-utils`.

See #9691 (comment) and npm/npm#19877 for more information.

Fix #9691.
@bjornstar

I have also created a simplified reproduction of this issue: @peer-deps-repro/main

This looks like another example of #15708

@filipesilva
Author

@bjornstar it does look like the same, yes. I added a comment there.

@not-an-aardvark
Contributor

We encountered this issue in ESLint too: eslint/eslint#10022

@ghost

ghost commented Feb 27, 2018

Encountered this issue in standard too: standard/standard#1078 (comment)

@billyjanitsch

This has been the case for a while -- the npm hoisting algorithm doesn't currently consider whether a package's peer dependencies will be satisfied when hoisting it.

There was a quick/dirty fix in npm 5.2.0 but it was rolled back in 5.3.0 because they wanted to fix it properly & the naive fix broke users with questionable dependency workflows.

It's an uncommon scenario but once in a while it comes up in a popular package (in this case, eslint). The npm CLI team is aware of it.
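
The mismatch in the original report can be checked mechanically by resolving each peer dependency the way Node's module lookup would, starting at the package's own location and walking up. This is an added example, not code from npm or from any commenter: the tree objects are constructed from the report, the nested layout is a hypothetical alternative, and the caret matcher is a simplification that handles only `^X.Y.Z` with X >= 1.

```javascript
// Added example: constructed trees; caret matching simplified to ^X.Y.Z with X >= 1.
const pkg = (name, version, peers = {}, children = []) => ({ name, version, peers, children });

// Layout from the report: ajv-keywords hoisted to the top level next to ajv@5.5.2.
const hoisted = pkg('ajv-peerdep-issue', '1.0.0', {}, [
  pkg('ajv', '5.5.2'),
  pkg('ajv-keywords', '3.1.0', { ajv: '^6.0.0' }),
  pkg('webpack', '3.11.0', {}, [pkg('ajv', '6.1.0')]),
]);

// Hypothetical alternative: ajv-keywords left beside webpack's own ajv@6.1.0.
const nested = pkg('ajv-peerdep-issue', '1.0.0', {}, [
  pkg('ajv', '5.5.2'),
  pkg('webpack', '3.11.0', {}, [
    pkg('ajv', '6.1.0'),
    pkg('ajv-keywords', '3.1.0', { ajv: '^6.0.0' }),
  ]),
]);

// Simplified caret check: same major, and minor.patch not lower than the range's.
function satisfiesCaret(version, range) {
  const [vM, vm, vp] = version.split('.').map(Number);
  const [rM, rm, rp] = range.replace(/^\^/, '').split('.').map(Number);
  return vM === rM && (vm > rm || (vm === rm && vp >= rp));
}

// Node-style lookup: the package's own node_modules first, then each ancestor's.
function resolve(name, chain) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const hit = chain[i].children.find((c) => c.name === name);
    if (hit) return hit;
  }
  return null;
}

// Walk the tree and report every peer range not met by what lookup would load.
function unmetPeers(node, chain = []) {
  const here = [...chain, node];
  const problems = [];
  for (const [peer, range] of Object.entries(node.peers)) {
    const found = resolve(peer, here);
    if (!found || !satisfiesCaret(found.version, range)) {
      problems.push({ pkg: `${node.name}@${node.version}`, peer, range, resolved: found ? found.version : null });
    }
  }
  for (const child of node.children) problems.push(...unmetPeers(child, here));
  return problems;
}
console.log(unmetPeers(hoisted), unmetPeers(nested));
```

On the hoisted layout the check reports ajv-keywords@3.1.0 resolving ajv@5.5.2 against its `^6.0.0` range; on the nested layout it reports nothing.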

@jeffora

jeffora commented Mar 6, 2018

It's also possible to hit this with @angular/cli with the following:

"devDependencies": {
  "@angular/cli": "^1.7.2",
  "@angular-devkit/core": "0.2.0"
}

This will cause @schematics/* packages to complain about missing peer dependency @angular-devkit/core and for ng * commands to crash.

Tested with npm@5.6.0 and npm@5.7.1.

Works correctly with yarn.

@1st

1st commented Mar 14, 2018

I see the red highlight on this part:

  │ ├─┬ table@4.0.3
  │ │ ├─┬ UNMET PEER DEPENDENCY ajv@6.2.1
  │ │ │ ├── fast-deep-equal@1.1.0 deduped
  │ │ │ ├── fast-json-stable-stringify@2.0.0 deduped
  │ │ │ └── json-schema-traverse@0.3.1 deduped
  │ │ ├── ajv-keywords@3.1.0
  │ │ ├─┬ chalk@2.3.2
  │ │ │ ├── ansi-styles@3.2.1 deduped
  │ │ │ ├── escape-string-regexp@1.0.5 deduped
  │ │ │ └── supports-color@5.3.0 deduped
  │ │ ├── lodash@4.17.5 deduped
  │ │ ├─┬ slice-ansi@1.0.0
  │ │ │ └── is-fullwidth-code-point@2.0.0 deduped
  │ │ └── string-width@2.1.1 deduped
  │ └── text-table@0.2.0

and this message in the end:

npm ERR! peer dep missing: ajv@^6.0.0, required by ajv-keywords@3.1.0

dond2clouds pushed a commit to d2clouds/speedray-cli that referenced this issue Apr 23, 2018
NPM hoists dependencies with peerDeps of their own, leading to unmet peer dependencies.

This workaround should be safe for now since the only two packages that depend on `ajv-keywords@3.1.0` are `webpack` and `schema-utils`.

See angular#9691 (comment) and npm/npm#19877 for more information.

Fix angular#9691.
sdirix added a commit to sdirix/jsonforms that referenced this issue May 28, 2018
* Update dependency versions of packages to be consistent
* Update packages to avoid security warnings
* Add ajv to dependencies to avoid bug
 npm/npm#19877
* Remove unnecessary package-lock.json files
edgarmueller pushed a commit to edgarmueller/jsonforms that referenced this issue Jun 15, 2018
* Update dependency versions of packages to be consistent
* Update packages to avoid security warnings
* Add ajv to dependencies to avoid bug
 npm/npm#19877
* Remove unnecessary package-lock.json files
edgarmueller pushed a commit to eclipsesource/jsonforms that referenced this issue Jun 15, 2018
* Update dependency versions of packages to be consistent
* Update packages to avoid security warnings
* Add ajv to dependencies to avoid bug
 npm/npm#19877
* Remove unnecessary package-lock.json files
eneufeld pushed a commit to eneufeld/jsonforms that referenced this issue Jun 21, 2018
* Update dependency versions of packages to be consistent
* Update packages to avoid security warnings
* Add ajv to dependencies to avoid bug
 npm/npm#19877
* Remove unnecessary package-lock.json files